30C3 CTF - rsync Writeup

The task give us a pcap containing a small rsync communication. Looking deeply into it we we’ll see that the rsync client is trying to retrive a file using the module “flag” but the there isn’t any transferring of it actually. But looking on wireshark at the biggest block sized 412 you will some interesting things. First of all I extracted an hex stream of the packet and then replaced the 00 with | for make it more clear. After that you can see some MD5 hashes “padded” with strings like “ba04…” or “ba05…”, except one. Like this:

ba 05 01 30    e1906c422714eb1385315767c466f30b (30C)
ba 05 01 32    aa557033e5bc8091a88db5915c8a04bb (2d7)
ba 05 01 33    2e1c6ef401c6f4e66790a9df179b885f (1b4)
ba 05 01 36    1543843a4723ed2ab08e18053ae6dc5b (395)
ba 05 01 37    a23e10ddc6117ee143b1241b024c7e54 (8e9)
ba 05 01 39    17b9d2ad2691d639cacb18811c7f1add (c67)

ba 04 02 30 31  bf9eef1e9fe88aa3a54c6ca03e862b12 (3_b)
ba 04 02 30 34  f79921bbae40a577928b76d2fc3edc2a (688)
ba 04 02 30 35  013d407166ec4fa56eb1e1f8cbe183b9 (138)
ba 04 02 31 30  a4d751f128596dee5517d8a007e6ea02 (be4)
ba 04 02 31 31  b597e5b0e7970deda3d6cf8017b929b7 (a7e)
ba 04 02 31 32  e3a52fecab0b4e8125873849cd99103a (e\x0a\x00)

c0 fe ff       39c4de73711fea02c5468558541ea581 (5db)

Now, cracking those hashes it’s fairly easy, just google them. It’s all 3-chars strings and putting them together like I did up here its clearly the flag! But this isn’t enough infact they are shuffled and we need to order them in the correct way. But first we can immediatly recognise what is the start and end. All flag in this CTF starts with 30C3_ so the start will be: 30C_3b (e1906c422714eb1385315767c466f30b+bf9eef1e9fe88aa3a54c6ca03e862b12)  while the end is ‘e’ (e3a52fecab0b4e8125873849cd99103a) because is followed by the terminator chars (newline+nullbyte) that ends a string.

I coded a little script for find this hash, since google failed:

http://pastebin.com/9UN6V8MT

For retrive the indexes to sort the others just look at the offset (remeber the “padding”?) and the last numbers e.g:

ba 04 02 30 35  013d407166ec4fa56eb1e1f8cbe183b9 (138)

this part of flag has index ‘05’ because the hex of the last 2 chars is 0x3035 that is 05

ba 04 02 31 31  b597e5b0e7970deda3d6cf8017b929b7 (a7e)

this part of flag has index ‘11’ beacuse the hex last 2 chars is 0x3131 that is 11

ba 05 01 33    2e1c6ef401c6f4e66790a9df179b885f (1b4)

this part of flag has index ‘3’ because the hex of the last char is 0x33 that is 3

and so on for the others. Now that we have the indexes of every single part of the flag just sort them out and the final string will be:  30C3_b2d71b46881383958e95dbc67be4a7ee

Razor4x